dcfldd
Safely image disk drives for forensic analysis
TLDR
Copy a disk to a raw image file and hash the image using SHA256
Copy a disk to a raw image file, hashing each 1 GB chunk
SYNOPSIS
dcfldd [OPTION]... [if=FILE] [of=FILE] [bs=BYTES]...
PARAMETERS
if=FILE
Specifies the input file (or device) to read from.
of=FILE
Specifies the output file (or device) to write to.
bs=BYTES
Sets the block size in bytes for both input and output. Reads and writes BYTES bytes at a time.
count=BLOCKS
Copies only BLOCKS input blocks.
skip=BLOCKS
Skips BLOCKS input blocks before starting to copy.
seek=BLOCKS
Skips BLOCKS output blocks before starting to write.
hash=ALGORITHM
Specifies the hash algorithm(s) to compute on the fly (e.g., md5, sha1, sha256, sha512). Multiple algorithms can be specified separated by commas.
hashlog=FILE
Logs the computed hash results to the specified FILE.
hashwindow=BYTES
Specifies the block size for hash calculation, allowing hashes of portions of the input.
hashformat=FORMAT
Controls the output format of hash logs (e.g., md5sum, sha1sum, raw).
statusinterval=SECONDS
Prints a status update (bytes copied, elapsed time, transfer rate) every SECONDS seconds.
errlog=FILE
Logs read errors and their locations (bad blocks) to the specified FILE.
abortonerror=on/off
Controls whether dcfldd aborts upon encountering read errors. Default is off (continue on error).
mtef=on/off
Enables/disables Multi-Target Error Flagging, indicating if an error occurred for a specific output file when writing to multiple destinations.
map=on/off
Creates a 'map' file that indicates successful and failed reads, useful for damaged media.
wipesig=SIGNATURE
Wipes the output with a repeating byte sequence defined by SIGNATURE.
wipebyte=BYTE
Wipes the output with a single specified BYTE.
noerror
Continues after read errors (similar to conv=noerror).
sync
Pads every input block with NULs to the specified bs size (similar to conv=sync).
conv=notrunc
Do not truncate the output file; preserve existing data outside the written area.
conv=nocreat
Do not create the output file; it must already exist.
DESCRIPTION
dcfldd is a modified version of the standard Unix/Linux dd command, specifically designed for digital forensics and data acquisition. While dd is a powerful tool for low-level copying, dcfldd extends its capabilities to address crucial requirements in forensic investigations. Its primary enhancements include on-the-fly hashing (supporting MD5, SHA1, SHA256, SHA512), which ensures data integrity by allowing verification of the acquired image against the source without a separate hashing pass.
It also provides detailed progress reporting, estimates of completion time, and improved error handling, such as logging bad blocks and continuing acquisition despite read errors. Furthermore, dcfldd can wipe disks securely and verify the wiping process. These features make dcfldd an indispensable tool for forensic examiners, enabling them to create forensically sound images of storage media while maintaining an auditable chain of custody.
CAVEATS
While highly effective, dcfldd can be slower than plain dd due to the overhead of on-the-fly hashing and enhanced error handling. Users must exercise extreme caution when specifying input (if) and output (of) files, as incorrect usage can lead to irreversible data loss on the target device. Although still widely used in digital forensics, its development has not been as active as the core dd utility in recent years.
FORENSIC SOUNDNESS AND DATA INTEGRITY
One of the most significant advantages of dcfldd is its ability to calculate cryptographic hashes (like MD5 or SHA-1) of the source data simultaneously during the copying process. Comparing this 'on-the-fly' hash with a hash of the finished image lets the examiner demonstrate that the acquired image is an exact, unaltered replica of the original source, a fundamental requirement for maintaining the integrity and admissibility of digital evidence in legal proceedings. The hash values can be logged to a separate file, providing an auditable record of the acquisition.
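The verification step described above, and the per-window hashing that hashwindow= enables (the 1 GB chunks in the TLDR), as an added example that is not part of this page or of the dcfldd project. It uses only dd and sha256sum so it runs without dcfldd installed: the source is a constructed 4 MiB file standing in for a disk, the copy is made with plain dd where dcfldd would hash while copying, and the hashlog line shape ("start - end: hash" per window, then "Total (sha256): hash") is an assumption about dcfldd's default log format. The equivalent acquisition command would be of the form `dcfldd if=/dev/sdX of=image.dd hash=sha256 hashwindow=1073741824 hashlog=image.sha256.log` (device name is a placeholder).

```shell
#!/bin/sh
# Added example (not dcfldd's own code): windowed hash verification of an image.
set -eu

# Constructed sample "disk": 4 MiB of deterministic content, no randomness.
make_sample_disk() {
    yes 'dcfldd sample sector data' | head -c 4194304 > "$1"
}

# Emit a hashlog for FILE using windows of WINDOW bytes, mirroring what
# hashwindow=WINDOW hashlog=FILE produces (log line shape is an assumption).
window_hashes() {
    file=$1; window=$2
    size=$(wc -c < "$file" | tr -d ' ')
    off=0
    while [ "$off" -lt "$size" ]; do
        end=$((off + window))
        [ "$end" -gt "$size" ] && end=$size
        h=$(dd if="$file" bs="$window" skip=$((off / window)) count=1 2>/dev/null \
            | sha256sum | cut -d' ' -f1)
        printf '%d - %d: %s\n' "$off" "$end" "$h"
        off=$end
    done
    printf 'Total (sha256): %s\n' "$(sha256sum "$file" | cut -d' ' -f1)"
}

# Print the byte ranges of IMAGE whose hash no longer matches LOG.
# Output is empty when the image is intact; a damaged image is localised to
# a window rather than failing only the total hash.
bad_windows() {
    log=$1; image=$2; window=$3
    recomputed=$(mktemp)
    window_hashes "$image" "$window" > "$recomputed"
    grep -vxF -f "$recomputed" "$log" | grep -v '^Total' | cut -d: -f1 || true
    rm -f "$recomputed"
}

# Exit status 0 only when every window (and therefore the total) matches.
verify_image() {
    [ -z "$(bad_windows "$1" "$2" "$3")" ]
}

# Acquisition, verification, and a deliberately damaged copy, end to end.
demo() {
    work=$(mktemp -d)
    src="$work/src.dd"; img="$work/image.dd"; log="$work/image.sha256.log"
    make_sample_disk "$src"
    # dcfldd hashes the source while copying; here the log is taken from the
    # source first and the copy is made with plain dd as a stand-in.
    window_hashes "$src" 1048576 > "$log"
    dd if="$src" of="$img" bs=65536 2>/dev/null
    verify_image "$log" "$img" 1048576 && echo "image verified against hashlog"
    # Overwrite one byte inside the third 1 MiB window of a second copy.
    cp "$img" "$work/damaged.dd"
    printf 'X' | dd of="$work/damaged.dd" bs=1 seek=2097252 conv=notrunc 2>/dev/null
    echo "windows that no longer match:"
    bad_windows "$log" "$work/damaged.dd" 1048576
    rm -rf "$work"
}

demo
```

Because each window is hashed separately, a single corrupted byte is reported as one mismatching range ("2097152 - 3145728" here) instead of an unexplained total-hash failure, which is the practical reason to set hashwindow= on large acquisitions.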
ENHANCED ERROR HANDLING AND REPORTING
Unlike standard dd, which might halt upon encountering read errors, dcfldd offers more robust error handling capabilities. It can be configured to continue copying even when bad blocks are encountered, logging the locations of these errors to a specified file. This feature is crucial when dealing with damaged or failing storage media, allowing forensic examiners to maximize data recovery while documenting any unreadable sectors.
HISTORY
dcfldd was developed by the Digital Forensics Lab at the DoD Cyber Crime Center (DC3) to provide enhanced capabilities for digital evidence acquisition beyond what the standard dd command offered. Its primary goal was to ensure data integrity during imaging processes by integrating features like on-the-fly hashing and improved error handling, which are critical in forensic investigations. Since its initial release, it has become a staple tool in the digital forensics community, widely adopted for creating forensically sound copies of storage media.